Support capsicum(4) on FreeBSD

changed milestone to %Tor: unspecified

added 034-removed-20180328 034-triage-20180328 BSD capsicum component::core tor/tor milestone::Tor: unspecified owner::shawn.webb priority::medium reviewer::ahf sandboxing security severity::normal status::assigned tor-relay type::enhancement labels

Milestone renamed

Trac:
Milestone: Tor: 0.2.??? to Tor: 0.3.???

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

Trac:
Keywords: N/A deleted, tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? to Tor: unspecified

Remove an old triaging keyword.

Trac:
Keywords: tor-03-unspecified-201612 deleted, N/A added

The tor-core keyword doesn't really make sense now that we have "Core Tor/Tor" for component.

Trac:
Keywords: tor-core deleted, N/A added

Trac:
Reviewer: N/A to N/A
Keywords: N/A deleted, capsicum added

I've started work on this on behalf of HardenedBSD.

Trac:
Username: shawn.webb

Trac:
Username: shawn.webb
Status: new to assigned
Owner: N/A to shawn.webb
Cc: N/A to shawn.webb@hardenedbsd.org

Trac:
Cc: shawn.webb@hardenedbsd.org to shawn.webb@hardenedbsd.org, ln5

I've made a ton of progress on this. I now have a mostly capsicumized Tor. The very basics are working as of this writing.

As it stands, what's left to do:

Write sandbox wrappers for a few more libc calls (gmtime(3), socketpair(2), etc).
Implement proper memory management (like, call free(3) where appropriate).
Clean up a whole freakton of debug code.
Write the Linux equivalent wrapper code (likely macros that just point to the corresponding libc functions).
Build full body-suit armor as the person who's tasked with reviewing the ensuing patch will likely want to stab me.

I will have a solution to demo in place by the time the Montreal meetup happens.

Trac:
Username: shawn.webb

Tor has an existing abstraction layer for accessing seccomp'd syscalls on Linux, using a bunch of functions prefixed with sandbox_. Is it possible to extend or modify that abstraction layer, rather than adding a separate interface for FreeBSD? That would make it easier to maintain once it's merged.

The problem is that seccomp2 uses a filtering approach. Essentially, once you've whitelisted the things you want to access, you can call open(2), socket(2), etc. at will and on demand.

Capsicum takes a completely different approach, one that's fully incompatible with seccomp2. I've writting a PoC do demonstrate the approach I'm taking with this ticket: https://github.com/lattera/PoCs/tree/master/capsicum_fdpassing

Note that the code I've written in the Tor codebase has diverged quite a bit from the PoC. The PoC is ugly code meant to serve as a brain dump and code testing area.

Trac:
Username: shawn.webb

I've now made the code public. There's still a bit of work left to do.

https://github.com/lattera/tor/tree/hardening/capsicum

Trac:
Username: shawn.webb

Trac:
Milestone: Tor: unspecified to Tor: 0.3.3.x-final

This work is nearing completion for a milestone 1. I've diverged quite a bit from the original PoC. How should I proceed from here in getting the code reviewed and merged upstream?

The only known issue is that when sandbox mode is enabled on FreeBSD/HardenedBSD, transparent proxy mode breaks. I'm researching the breakage. Given that transparent proxy mode is not the primary use case nor is widely used, I feel like the current work can go in (pending code review and adjustments resulting from the review) with an errata patch later on.

Trac:
Username: shawn.webb

Trac:
Reviewer: N/A to ahf

Trac:
Milestone: Tor: 0.3.3.x-final to Tor: 0.3.4.x-final

I'm going to bring this work up-to-date with the latest master branch. It has a few merge conflicts. @ahf, would you have time to review this work after the merge conflicts are resolved?

Trac:
Username: shawn.webb

Yep! I'm going to Rome next week for the Tor dev meeting, so I probably wont get around to it until after the meeting is over.

Support capsicum(4) on FreeBSD

Child items ...

Activity